CVE-2026-45374
Deferred Deferred - Pending Action
CodeWhale Terminal Agent Shell Access Bypass

Publication date: 2026-05-28

Last updated on: 2026-05-30

Assigner: GitHub, Inc.

Description
CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, the task_create tool spawns durable sub-agents that inherit two insecure defaults, allow_shell defaults to true (config.rs:1499: self.allow_shell.unwrap_or(true)) and auto_approve defaults to true (task_manager.rs:297: auto_approve: Some(true)). When a user approves a task_create call (which requires ApprovalRequirement::Required), they approve what appears to be a benign work prompt. However, the spawned sub-agent silently receives unrestricted, unapproved shell access. This vulnerability is fixed in 0.8.26.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-30
Generated
2026-06-18
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-45374
EUVD
EUVD-2026-32962
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
codewhale codewhale to 0.8.26 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-45374 is a critical vulnerability in the CodeWhale DeepSeek + MiMo coding agent, specifically in the task_create tool before version 0.8.26. The tool spawns sub-agents with insecure default settings: allow_shell is set to true, granting unrestricted shell access, and auto_approve is set to true, bypassing additional approval prompts.

When a user approves a task_create call that appears to be a benign work prompt, the spawned sub-agent silently gains unrestricted shell access without further user approval. This allows an attacker to execute arbitrary commands remotely by embedding malicious instructions disguised as legitimate project workflows.

Impact Analysis

This vulnerability can lead to remote code execution (RCE) on your system with high severity impacts on confidentiality, integrity, and availability. An attacker can silently execute arbitrary shell commands without explicit user consent after initial task approval.

  • Unauthorized access to sensitive data (confidentiality impact).
  • Modification or destruction of data or system components (integrity impact).
  • Potential disruption or denial of service (availability impact).
Detection Guidance

This vulnerability involves the task_create tool spawning sub-agents with insecure defaults that allow unrestricted shell access and auto-approval. Detection would involve monitoring for unexpected sub-agent processes spawned by CodeWhale versions prior to 0.8.26, especially those that execute shell commands without explicit user approval.

Since the vulnerability allows silent execution of shell commands, you can look for unusual shell activity originating from CodeWhale processes.

  • Use process monitoring commands like `ps aux | grep codewhale` or `ps aux | grep deepseek-tui` to identify running sub-agents.
  • Check for unexpected shell processes spawned by CodeWhale using commands like `pstree -p | grep codewhale`.
  • Monitor network connections for unusual outbound connections from CodeWhale processes using `netstat -tunp | grep codewhale` or `ss -tunp | grep codewhale`.
  • Review logs for suspicious approval prompts or task_create calls that resulted in shell access.
Mitigation Strategies

To mitigate this vulnerability, immediately upgrade CodeWhale to version 0.8.26 or later, where the insecure defaults have been fixed.

If upgrading is not immediately possible, change the configuration defaults to set allow_shell and auto_approve to false to prevent automatic shell access and require explicit user approval.

Improve user awareness by clarifying approval prompts so users understand when shell access is being granted.

Monitor and audit task_create calls and spawned sub-agents for suspicious activity.

Compliance Impact

This vulnerability allows an attacker to gain unrestricted shell access silently after a user approves what appears to be a benign task. This leads to remote code execution with high impact on confidentiality, integrity, and availability.

Such unauthorized access and execution can result in unauthorized data access, modification, or destruction, which directly conflicts with compliance requirements in standards like GDPR and HIPAA that mandate strict controls over data confidentiality and integrity.

Therefore, exploitation of this vulnerability could lead to violations of these regulations due to potential data breaches and lack of proper user consent or approval for critical actions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45374. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart